Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01cmNjLTZjbWotNzcyOM0wxA

Cross-site Scripting in BookStack

Iframe tags don't have a sandbox attribute. This lets an attacker execute malicious JavaScript via an iframe and perform phishing attacks. The sandbox attribute blocks script execution and prevents the framed content from navigating its top-level browsing context, which stops this type of attack.
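As an added illustration of the mitigation the advisory describes (example code written for this page, not BookStack's own fix), the function below rewrites user-supplied HTML so that every iframe carries a sandbox attribute and any existing sandbox value loses the tokens that would re-enable script execution or top-level navigation. The regexes and helper names are my own assumptions; in production this belongs inside a real HTML sanitizer rather than a regex pass.

```javascript
// Constructed example: force a restrictive sandbox onto every <iframe>.
// Not BookStack's code; the tag/attribute regexes are assumptions.

// Sandbox tokens that re-enable what the advisory wants blocked:
// script execution and navigation of the top-level browsing context.
const DENIED_TOKENS = new Set([
  "allow-scripts",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// An <iframe ...> start tag; quoted attribute values may contain '>'.
const IFRAME_TAG = /<iframe\b((?:"[^"]*"|'[^']*'|[^"'>])*)>/gi;
// One attribute: name, optionally = "value" | 'value' | bare value.
const ATTRIBUTE = /([^\s=/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Remove denied tokens; an empty value ("") is the most restrictive sandbox.
function hardenSandboxValue(value) {
  return value
    .split(/\s+/)
    .filter((t) => t && !DENIED_TOKENS.has(t.toLowerCase()))
    .join(" ");
}

// Re-quote a value with double quotes without breaking the attribute.
const quote = (v) => `"${v.replace(/"/g, "&quot;")}"`;

// Rewrite every iframe start tag so it has a hardened sandbox attribute.
function enforceIframeSandbox(html) {
  return html.replace(IFRAME_TAG, (_tag, attrText) => {
    const attrs = [];
    let seenSandbox = false;
    for (const m of attrText.matchAll(ATTRIBUTE)) {
      const name = m[1];
      const value = m[2] ?? m[3] ?? m[4];
      if (name.toLowerCase() === "sandbox") {
        seenSandbox = true;
        attrs.push(`sandbox=${quote(hardenSandboxValue(value ?? ""))}`);
      } else {
        attrs.push(value === undefined ? name : `${name}=${quote(value)}`);
      }
    }
    if (!seenSandbox) attrs.push('sandbox=""'); // no tokens: scripts and top navigation denied
    return `<iframe ${attrs.join(" ")}>`;
  });
}
```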

Permalink: https://github.com/advisories/GHSA-5rcc-6cmj-7728
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01cmNjLTZjbWotNzcyOM0wxA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago


CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-5rcc-6cmj-7728, CVE-2022-0877
References: Repository: https://github.com/bookstackapp/bookstack
Blast Radius: 1.0

Affected Packages

packagist:ssddanbrown/bookstack
Dependent packages: 0
Dependent repositories: 0
Downloads: 112 total
Affected Version Ranges: < 22.02.3
Fixed in: 22.02.3
All affected versions: 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.2, 0.7.3, 0.7.4, 0.7.6, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.19.0, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.21.0, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.25.5, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.27.1, 0.27.2, 0.27.3, 0.27.4, 0.27.5, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.29.0, 0.29.1, 0.29.2, 0.29.3, 0.30.0, 0.30.1, 0.30.2, 0.30.3, 0.30.4, 0.30.5, 0.30.6, 0.30.7, 0.31.0, 0.31.1, 0.31.2, 0.31.3, 0.31.4, 0.31.5, 0.31.6, 0.31.7, 0.31.8, 21.4.1, 21.4.2, 21.4.3, 21.4.4, 21.4.5, 21.4.6, 21.5.1, 21.5.2, 21.5.3, 21.5.4, 21.8.1, 21.8.2, 21.8.3, 21.8.4, 21.8.5, 21.8.6, 21.10.1, 21.10.2, 21.10.3, 21.11.1, 21.11.2, 21.11.3, 21.12.1, 21.12.2, 21.12.3, 21.12.4, 21.12.5, 22.2.1, 22.2.2
All unaffected versions: 22.2.3, 22.3.1, 22.4.1, 22.4.2, 22.6.1, 22.6.2, 22.7.1, 22.7.2, 22.7.3, 22.9.1, 22.10.1, 22.10.2, 22.11.1, 23.1.1, 23.2.1, 23.2.2, 23.2.3, 23.5.1, 23.5.2, 23.6.1, 23.6.2, 23.8.1, 23.8.2, 23.8.3, 23.10.1, 23.10.2, 23.10.3, 23.10.4, 23.12.1, 23.12.2, 23.12.3, 24.2.1, 24.2.2, 24.2.3